One Last Thing

Cyber Security Issues are Here and Now

Normally, when I’m asked to organize an event, I ensure that the subject matter is something in which I have some expertise. I made an exception to that rule earlier this year when the Conference Board of Canada asked me to put together a program for one of their highly regarded security conferences. They told me to select what I thought was the most pressing security-related issue and, notwithstanding my lack of personal expertise, I was able to make the selection without hesitation: Cyber Security.

With the assistance of some friends and working associates, we have assembled a collection of international and domestic experts with first-hand operational experience in the full spectrum of cyber security issues. And what a spectrum it is.

I remember being wowed at being able to send what I typed (admittedly one fingered) to someone on a different computer or seeing it printed by making a keystroke. Remember the DOS days of ‘Shift F7’? At the Canadian Police Association, we were among the first national law enforcement groups to experiment with a website and some new fad called the Internet.

Very little is done manually anymore. We file important information, activate sensitive systems, communicate, and even transfer money digitally. Our world has literally been changed and indeed modernized with the advent of a cyber capacity that makes the process of communication as important as the content being communicated.

The ingenuity, and regrettably cunning self-interest, of human nature has also meant that our new computer-enabled world has produced a dizzying array of cyber vulnerabilities. As we become more and more dependent on that capacity (and increasingly forget where that power switch even was), the concurrent need for vibrant, resilient, and literally intelligent, cyber security measures has become paramount.

For law enforcement, which is traditionally reactive in nature, this has added a new way of looking at crime and its investigation and prevention. Ironically, the new security-related focus, thrust upon us after (and really before) 9-11, that prioritizes prevention (rather than prosecution) through intelligence-led investigation is actually better suited to this new cyber world.

In that sense, it has never been more true that the capacity to appreciate the security required is inextricably linked to the capacity to understand and anticipate both the vulnerability and the threat that seeks to exploit it. This nasty new lesson no doubt dawned on the folks in Tbilisi who suddenly saw computer screens go blank as systems were overwhelmed and immobilized in advance of rumbling tank treads.

Understanding the full spectrum of threats, and anticipating the next generation of ‘malware,’ ‘botnets,’ ‘phishing’ and other maladies (whose names make sense once you understand what they do) have also moved up the operational list of priorities for any organization that communicates or stores data. You can have the best physical perimeter security or biometric personnel credentialing available, but if your operational cyber infrastructure is compromised… things don’t work… and the public loses that essential service. Commercial and financial institutions that have likewise embraced the cyber reality are equally dependent on the viability and integrity of their data security systems. Different product or “information” perhaps, but the same result if compromised. Current, effective cyber security is no longer an ‘add on’ for modern industry or commerce; it’s a business continuity essential.

In a similar way, public protection agencies, such as law enforcement, emergency medical and intelligence organizations, even the military, need to adapt priorities and organizational structures to ensure that the marvel of modern technology is an asset and not a vulnerability. As post 9-11 efforts have shown, tapping into the cyber communications networks of the bad guys provides incredible intelligence and preventive capacity – just ask Dhiren Barot, Khalid Sheikh Mohammed, or Younis Tsouli, who are sitting in well-deserved jail cells.

If all of this is not challenge enough, several important issues are far from being fully resolved. Primary among them is how this new cyber ‘information’ can include recognition by private sector sources of a hacking attack or vulnerability that needs to be shared with government. Based on even my steep learning curve, it appears obvious that ensuring that government is willing to accept and then act on such information remains the major challenge. The usual ‘no news is good news’ bureaucratic approach just won’t cut it anymore with these clearly heightened cyber stakes.

At the same time, the age-old balance between security and privacy is again engaged, and with the increased cyber monitoring capacity of the State, all of us (especially those in law enforcement and security) must always remember that privacy is an essential component of liberty. Today’s cyber data world also creates a kind of reverse privacy issue where there is now a legitimate public entitlement to know when their personal data has been compromised while being held in private cyber databases.

Finally, and most importantly, the sources of such cyber attacks are as likely to be from Brazil or China as they are from Boston or Calgary. Confronting, and even taking proactive defensive measures (which I suspect is where we’re headed) across increasingly notional national boundaries is a challenge – especially when the foreign government is, shall we say, part of the problem and not part of the solution.

One thing is certain; there’s no going back and it’s a battle we can’t afford to lose.

Associate Editor Scott Newark, a former Crown Prosecutor, is currently the Vice Chair/ Operations of the National Security Group.
© FrontLine Security 2008